kino Posted May 25, 2005

Hi, I know that SpamDeputy is not your department here but I am having some trouble getting any information from that side. I have started reporting spam here but I often get the error above:

Ignored
No source IP address found, cannot proceed.
Add/edit your mailhost configuration
Finding full email headers
Submitting spam via email (may work better)
Example: What spam headers should look like
Nothing to do.

In fact only 1/15 seem to go through the parser OK when sent from SpamDeputy. Is this something I can resolve from here? I really need to use an automatic solution for this rather than copy+pasting into the forms.

On a side note, when a spam email is successfully parsed, do you then also have to click 'send report'? I am reporting as a mole and I was a little unclear about that.

Thanks for your advice
StevenUnderwood Posted May 25, 2005

OK, second answer first... yes, you do, as that is what tells SpamCop that you have checked the parse and confirmed it is correct. The address the reports go to should indicate that it is not being sent outside of SpamCop.

Second question: You don't state which version of SpamDeputy you are using (stand-alone or Outlook add-in) and I have no experience with either. If you use the search function of these forums, searching all forums for "spamdeputy", I received 25 different threads you might want to scan. If none of those threads answer your problem, post back here with a more detailed description of your setup (OS, software and versions) along with a tracking URL for one of the problem parses (maybe a good parse also for comparison) and we can try to look into it a bit deeper. If it does solve your problem, please post that here as well so we can mark the thread closed.
RobertWilliams Posted May 25, 2005

I TOO just started having this problem..... just this morning, I have received at least 5 e-mails where the sender somehow figured out how to either REMOVE the header info or bypass the computer that adds the info. Check this out:

Microsoft Mail Internet Headers Version 2.0
Received: by my.local.server id <x>; Wed, 25 May 2005 07:57:10 -0700
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
Subject: Well well wlel!
Date: Wed, 25 May 2005 07:57:10 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Message-ID: <x>
X-MS-Has-Attach:
X-MS-TNEF-Correlator: <x>
Thread-Topic: Well well wlel!
Thread-Index: AcVgR0ecGHvZ/kMVSHyVhls6AKdSvw==
From: "Bauer Q. Game" <x>
To: "Robert Williams" <x>

I obviously removed all the information that pertained to my system, but from what it looks like, the user is working from a Windows 2003 Exchange Server. Is this now possible with Windows 2003 Server?
StevenUnderwood Posted May 25, 2005

> I TOO just started having this problem..... just this morning, I have received at least 5 e-mails where the sender somehow figured out how to either REMOVE the header info or bypass the computer that adds the info. Check this out:
> I obviously removed all the information that pertained to my system, but from what it looks like, the user is working from a Windows 2003 Exchange Server.

Well, it is up to "my.local.server" to indicate where it got the message from. That MAY be the only header that can be trusted.
RobertWilliams Posted May 25, 2005

> Well, it is up to "my.local.server" to indicate where it got the message from. That MAY be the only header that can be trusted.

OK, any clues as to where I would be able to find information on why my server would not report this information? This is the 1st time I've run into this.
StevenUnderwood Posted May 25, 2005

> OK, any clues as to where I would be able to find information on why my server would not report this information? This is the 1st time I've run into this.

Well, you do not indicate what platform your mail server is (Exchange?), which could affect my answer. A couple of quick possibilities: Have you performed any upgrades recently? Does your server accept messages from other internal machines that are possibly infected or relaying themselves? (Check the logs.)
RobertWilliams Posted May 25, 2005

> Well, you do not indicate what platform your mail server is (Exchange?), which could affect my answer. A couple of quick possibilities: Have you performed any upgrades recently? Does your server accept messages from other internal machines that are possibly infected or relaying themselves? (Check the logs.)

Sorry, yes, I am using Exchange 2000. And no, I haven't made any recent configuration changes to the Exchange server. Also, I still got some messages (before and after) that had the IP addresses of the sending system. As for the internal messages, I do know that whenever an internal message is received, there are 0b in the header. So it's not probable that it came from inside. I posted this question on the MS TechNet site also; I will let you know if I hear anything else.

Thanks
RW
kino Posted May 26, 2005 (Author)

Hi Steven,

Thanks for your time in this. I'm using XP Pro here, with Outlook 2002. Yes - this is the SpamDeputy plugin version 1.0.7.33. I only downloaded this last week so I believe it's their most up-to-date one. (www.spamdeputy.com)

I have the headers here of two submissions:

1) Unsuccessfully Parsed

Return-Path: <Raymond.Wolf[at]pokerstars.com>
Received: from my.servername.com (root[at]localhost)
    by mycompany.com (8.12.11/8.12.11) with ESMTP id j4PH10nm032272
    for <x>; Wed, 25 May 2005 18:01:00 +0100
X-ClientAddr: 80.119.41.100
Received: from 100.41.119-80.rev.gaoland.net (100.41.119-80.rev.gaoland.net [80.119.41.100])
    by my.servername.com (8.12.11/8.12.11) with SMTP id j4PH0Gn1030657
    for <x>; Wed, 25 May 2005 18:00:25 +0100
Received: from bolt-fe3.bolt.com (mail.bolt-fe3 [216.74.152.11])
    by be3 (Cyrus v2.2.10) with LMTPA; Wed, 25 May 2005 10:47:39 -0700
X-Sieve: CMU Sieve 2.2
Received: from kittymail.com (bay10-f23.bay10.kittymail.com [203.86.166.62])
    by postmark.fe3.postmark.com (8.12.11/8.12.11) with ESMTP id j4BM34K2001238
    for <x>; Wed, 25 May 2005 16:55:39 -0100
Received: from mail pickup service by 123mail.net with Microsoft SMTPSVC; Wed, 25 May 2005 12:50:39 -0500
Message-ID: <BAY1__________________________1100[at]phx.gbl>
Received: from 64.62.137.76 by by10fd.bay10.123mail.net with HTTP; Wed, 25 May 2005 20:53:39 +0300
X-Originating-IP: [64.62.137.76]
X-Originating-Email: [TimothyHoward[at]123mail.net]
X-Sender: TimothyHoward[at]123mail.net
From: "Timothy" <TimothyHoward[at]123mail.net>
To: x
Subject: Response Needed Soon
Date: Wed, 25 May 2005 19:49:39 +0200
X-OriginalArrivalTime: Wed, 25 May 2005 14:48:39 -0300 (UTC) FILETIME=[8254B350:01C55675]
X-mycompany-MailScanner-Information: Please contact the ISP for more information
X-mycompany-MailScanner: Found to be clean
Status:
X-Antivirus: AVG for E-mail 7.0.322 [266.11.16]
Mime-Version: 1.0
Content-Type: text/plain; format=flowed

Client Update:
Several Companies have been competing for your mortgage refinance application over the past 2 weeks. The company that offered the lowest rate, and largest loan quantity has requested your information be verified.
[links removed by me]

2) Successfully Parsed

Return-Path: <smieusqsfvgcy[at]netscape.net>
Received: from my.servername.com (root[at]localhost)
    by mycompany.com (8.12.11/8.12.11) with ESMTP id j4Q1rgJD000396;
    Thu, 26 May 2005 02:53:42 +0100
X-ClientAddr: 205.201.127.133
Received: from xx.xx.xx.xxx ([205.201.127.133])
    by my.servername.com (8.12.11/8.12.11) with SMTP id j4Q1rOFO000376;
    Thu, 26 May 2005 02:53:31 +0100
Message-Id: <2005___________________0376[at]my.servername.com>
Received: from LDZQF-XC82 (205.201.127.133) by 205.201.127.133; Wed, 25 May 2005 20:48:53 -0600
From: "Deborah Rowell" <smieusqsfvgcy[at]netscape.net>
To: x
Subject: C$ALIS soft now forgery
Date: Wed, 25 May 2005 20:48:53 -0600
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
X-e3internet-MailScanner-Information: Please contact the ISP for more information
X-e3internet-MailScanner: Found to be clean
X-spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on my.servername.com
X-spam-Level: ***
X-spam-Status: No, score=3.3 required=5.0 tests=BAYES_00,HTML_80_90,
    HTML_IMAGE_ONLY_20,HTML_MESSAGE,MSGID_FROM_MTA_HEADER,

Now I look at them both together - I only see my server IP (xx.xx.xx.xxx) in the successfully parsed one. Do you want me to post the tracking URLs here or PM them?

Thanks
Kino
StevenUnderwood Posted May 26, 2005

> 1) Unsuccessfully Parsed
> Return-Path: <Raymond.Wolf[at]pokerstars.com>
> Received: from my.servername.com (root[at]localhost)
>     by mycompany.com (8.12.11/8.12.11) with ESMTP id j4PH10nm032272
>     for <x>; Wed, 25 May 2005 18:01:00 +0100
>
> 2) Successfully Parsed
> Return-Path: <smieusqsfvgcy[at]netscape.net>
> Received: from my.servername.com (root[at]localhost)
>     by mycompany.com (8.12.11/8.12.11) with ESMTP id j4Q1rgJD000396;
>     Thu, 26 May 2005 02:53:42 +0100
>
> Do you want me to post the tracking URLs here or PM them?

Tracking URLs should be all you need to post here, as we can get the full message (munged) from there and see exactly what was submitted. For instance, if the blank line presented above were actually in the submission, that would be one reason for a failure.

My first question is why are these two headers, which appear to be from the same server, formatted differently? In other words, one has the "for <x>;" part and the other doesn't. All the servers I deal with will either always put that line in or will never put the line in, so are we dealing with 2 different servers named "my.servername.com"?
kino Posted May 26, 2005 (Author)

Nope, same server. It's odd.

http://www.spamcop.net/sc?id=z767815689z8e...76bc3db7263c7az
http://www.spamcop.net/sc?id=z767817326z3e...c7ce39b2349c49z

All I could think of is that some of the mail is coming into the one account from redirects (within the same domain). That blank line is there though, so you seem to have explained the parse failure. Now to work out why it's there.
StevenUnderwood Posted May 26, 2005

> Nope, same server. It's odd.
> http://www.spamcop.net/sc?id=z767815689z8e...76bc3db7263c7az
> http://www.spamcop.net/sc?id=z767817326z3e...c7ce39b2349c49z
> All I could think of is that some of the mail is coming into the one account from redirects (within the same domain). That blank line is there though, so you seem to have explained the parse failure. Now to work out why it's there.

OK, but even the "working" one has problems... If you view the message source, there are wrapping problems (any continuation line needs to start with whitespace), another blank line in the X-spam-Status: line, and there is no closing boundary on the boundary. Here is an example of the headers when forwarded from SpamCop webmail: http://www.spamcop.net/sc?id=z767916515z45...873df977966471z

FYI: The text shown at the top of the parse (before the View entire message link) is what the parser is finding for headers. The rest of the message is considered the body of the message.
kino Posted May 26, 2005 (Author)

Sorry, I seem to have deleted this post - way too hectic today. Basically I was writing that I would go off and try some of the other automated reporting tools mentioned here: http://www.spamcop.net/fom-serve/cache/122.html and the macro for Outlook discussed here: http://forum.spamcop.net/forums/index.php?...st=0entry5797

Update: Sorry, nothing positive to report here.

The automated macro throws exactly the same error (takes that line out).

olspam throws an error: Outlook spam Report Utility: [Collaboration Data Objects - [MAPI_E_NOT_FOUND(8004010f00]]

SpamSource doesn't even load. http://www.daesoft.com/SpamSource/index.htm - I have tried their fix mentioned for this problem in Outlook 2003 but this isn't the case for 2002.

So it looks like the automated options either need some programming work or my copy of Outlook is playing up. I'm getting a new copy of Office in a month; I'll come back and try again then. Sorry if this sounds lazy but I really need an automated solution here. I can handle the link clicking for spam approval but not the manual copy + pasting submission.

Thanks
griffithc Posted June 13, 2005

Hi,

I'm also having problems with reporting at spamcop.net responding to all my submissions with "No source IP address found, cannot proceed." However if I use the link www.spamcop.com instead, the headers are parsed and I can send emails directly to the alleged abuse sites. I wonder why the difference?

A typical email that fails with www.spamcop.net is:

Return-Path: <fishbourne_s[at]bonbon.net>
Received: from spool-host3.tpgi.com.au ([unix socket])
    by spool-host3.tpgi.com.au (Cyrus v2.1.16-TPG) with LMTP; Mon, 13 Jun 2005 20:41:12 +1000
Received: from AMarseille-251-1-72-138.w83-205.abo.wanadoo.fr (AMarseille-251-1-72-138.w83-205.abo.wanadoo.fr [83.205.194.138])
    by mail.tpg.com.au (8.12.10/8.12.10) with ESMTP id j5DAeTo1025699;
    Mon, 13 Jun 2005 20:41:11 +1000
Message-Id: <200506131041.j5DAeTo1025699[at]mail.tpg.com.au>
Received: from bonbon.net (mx3.bonbon.net [38.113.3.75])
    by AMarseille-251-1-72-138.w83-205.abo.wanadoo.fr (Postfix) with ESMTP id Z0C4P5R693
    for <cgilford[at]tpg.com.au>; Mon, 13 Jun 2005 07:41:48 +0000
From: "Barbara" <fishbourne_s[at]bonbon.net>
To: <cgilford[at]tpg.com.au>
Subject: look through the letter - FAMILY NIGHTMARE
Date: Mon, 13 Jun 2005 07:41:48 +0000
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: 2CvAecZRU4CIpuvfROa7mAHemu2A56hpyOn2
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-TPG-Antivirus: Passed

Does anyone understand why the standard SpamCop site has a problem?
Jeff G. Posted June 13, 2005

What is displayed between "Parsing header:" and "No source IP address found, cannot proceed."? What is the Tracking URL for your attempt? I copied what you pasted and generated my own Tracking URL http://www.spamcop.net/sc?id=z774451331z9c...d763b158f1d20cz, which appears to parse fine, willing to report to "best contacts postmaster<at>wanadoo.fr abuse<at>wanadoo.fr" (except that "postmaster[at]wanadoo.fr bounces (205 sent : 103 bounces)"). By "the standard Spamcop site", do you mean http://spamcop.net/? Please see "Header incomplete, aborting." and "No source IP address found, cannot proceed." per Original SpamCop FAQ & Added Forum Items. It is also possible that you have Mailhosts configured for one site and not the other. Thanks!
griffithc Posted June 14, 2005

Thanks Jeff G!

In answer to your question, I turned technical details on, which certainly helped explain a lot, but not all. I got:

------------------------
Parsing header:
0: Received: from AMarseille-251-1-72-138.w83-205.abo.wanadoo.fr (AMarseille-251-1-72-138.w83-205.abo.wanadoo.fr [83.205.194.138]) by mail.tpg.com.au (8.12.10/8.12.10) with ESMTP id j5DAeTo1025699; Mon, 13 Jun 2005 20:41:11 +1000
No unique hostname found for source: 83.205.194.138
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header
No source IP address found, cannot proceed.
Add/edit your mailhost configuration
Finding full email headers
Submitting spam via email (may work better)
Example: What spam headers should look like
Nothing to do.
----------------------------

It seems the header including the source in the oldest header line is forged and this type of email cannot be reported. If the originating IP is forged, it means there is nothing one can do at all to report such emails to their origins. The tracking URL is http://www.spamcop.net/sc?id=z774757519zfe...75e0b4c64cf44bz, and yes, I am using //spamcop.net.

Despite the above, I'm interested to find out why you successfully got it to generate a report and I didn't. Any ideas? Maybe it is the mailhosts. On this issue I'm not quite sure what to do.

Cheers
Chris
griffithc Posted June 14, 2005

Hi Jeff G,

I re-entered the mail hosts under the new experimental system and now the reports are there!! Thanks for your help.

By the way, can e-mail headers be forged to the point where they are impossible to trace, or is there always a means of deciphering the real source?

Chris G
Jeff G. Posted June 14, 2005

I'm glad you got it working. Thanks for the update. IIUC, Julian is constantly working to thwart spammers' forgeries and other efforts at avoiding detection.
StevenUnderwood Posted June 14, 2005

> By the way, can e-mail headers be forged to the point where they are impossible to trace, or is there always a means of deciphering the real source?

That answer depends on where the spam is inserted into the stream and how it got there. Basically, it comes down to which machines to trust that their headers are correct in order to step back another level. If the message came through an open relay of some kind, that will usually be as far back as you can trace it. If the message was inserted on your local network, there may be no way to trace at all.

The last header should always be placed there by your ISP and is assumed to be trusted. For the same account, that line should always be the same format as well. Beyond that, it depends on where your ISP got the message.

The best way I've found to see what good headers should look like is to send yourself an email message from another account (or have a friend do it) and parse those headers manually and using SpamCop. DO NOT REPORT THIS MESSAGE.
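The trust walk Steven describes above (trust only the Received lines your own mail hosts wrote, stop at the first hop that came from outside them), together with the two failure modes from earlier in the thread (a blank line inside the header block, and a folded line that lost its leading whitespace), as an added example that is not part of the original thread and not SpamCop's own parser code. It assumes a mailhost list of mycompany.com and my.servername.com, and the sample messages are constructed here using RFC 5737 documentation addresses; the host names, ids and timestamps in them are illustrative only.

```python
import re

# RFC 5322 field name: printable ASCII except ':'. A folded line such as
# "for <x>; Wed, 25 May 2005 18:01:00 +0100" that lost its leading
# whitespace therefore ends the header block instead of becoming a header.
_FIELD_NAME = re.compile(r'^[\x21-\x39\x3b-\x7e]+$')
_IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'


def unfold_headers(raw):
    """Return (headers, reason): (name, value) pairs with continuation lines
    unfolded, plus why the header block ended where it did."""
    headers = []
    for lineno, line in enumerate(raw.splitlines(), 1):
        if line.strip() == '':
            return headers, f'blank line at line {lineno} ended the header block'
        if line[0] in ' \t':  # folded continuation of the previous field
            if not headers:
                return headers, f'line {lineno} continues nothing'
            name, value = headers[-1]
            headers[-1] = (name, value + ' ' + line.strip())
            continue
        name, sep, value = line.partition(':')
        if not sep or not _FIELD_NAME.match(name):
            return headers, f'line {lineno} is not a header line: {line[:32]!r}'
        headers.append((name, value.strip()))
    return headers, 'end of input'


def parse_received(value):
    """Return (from_host, ip, by_host) for one unfolded Received value.
    from_host is what the sender announced; ip is what the receiver saw."""
    m_by = re.search(r'\bby\s+([A-Za-z0-9.\-]+)', value)
    by_host = m_by.group(1).lower() if m_by else None
    from_part = value[:m_by.start()] if m_by else value
    m_from = re.match(r'from\s+([^\s(]+)', from_part)
    from_host = m_from.group(1).lower() if m_from else None
    m_ip = (re.search(r'\[(' + _IPV4 + r')\]', from_part)  # MTA-recorded address
            or re.search(r'\((' + _IPV4 + r')\)', from_part))
    return from_host, m_ip.group(1) if m_ip else None, by_host


def find_source_ip(raw, mailhosts):
    """Walk Received lines newest-first. A line is trusted only if one of
    *your* mail hosts wrote it; the first trusted hop that received from a
    host outside that set names the source IP. Lines deeper than that were
    written by machines the sender may control and are never consulted."""
    trusted = {h.lower() for h in mailhosts}
    headers, reason = unfold_headers(raw)
    received = [v for n, v in headers if n.lower() == 'received']
    if not received:
        return None, f'no Received headers ({reason})'
    for value in received:
        from_host, ip, by_host = parse_received(value)
        if by_host is None:
            return None, 'Received line names no receiving host (lost continuation line?)'
        if by_host not in trusted:
            return None, (f'possible forgery: supposed receiving system {by_host!r} is '
                          'not one of your mailhosts; nothing beyond it is trusted')
        if from_host in trusted:
            continue  # relay between two of your own hosts, keep walking
        if ip is None:
            return None, f'{by_host} did not record a source address'
        return ip, f'recorded by {by_host}'
    return None, 'no source IP address found, cannot proceed'


MAILHOSTS = {'mycompany.com', 'my.servername.com'}

# Constructed sample (RFC 5737 addresses): an internal hop, the external
# source, then a Received line the sender forged beneath it.
GOOD = """Received: from my.servername.com (root@localhost)
    by mycompany.com (8.12.11/8.12.11) with ESMTP id j4Q1rgJD000396;
    Thu, 26 May 2005 02:53:42 +0100
Received: from pc.example.net ([203.0.113.45])
    by my.servername.com (8.12.11/8.12.11) with SMTP id j4Q1rOFO000376;
    Thu, 26 May 2005 02:53:31 +0100
Received: from mx3.example.org (mx3.example.org [198.51.100.7])
    by pc.example.net (Postfix) with ESMTP id 0000000000
    for <victim@mycompany.com>; Thu, 26 May 2005 01:50:00 +0000
Subject: constructed sample

body
"""
# The two failure modes from the thread: a stray blank line inside the
# headers, and a folded line that lost its leading whitespace.
BLANK_LINE = GOOD.replace('Received: from pc.example.net', '\nReceived: from pc.example.net', 1)
LOST_FOLD = GOOD.replace('\n    by my.servername.com', '\nby my.servername.com', 1)
# Outermost hop written by a host that is not in your mailhost list.
OTHER_ISP = """Received: from cust.example (cust.example [192.0.2.9])
    by mail.example.au (8.12.10/8.12.10) with ESMTP id j5DAeTo1025699;
    Mon, 13 Jun 2005 20:41:11 +1000
"""

if __name__ == '__main__':
    for label, raw, hosts in [('good', GOOD, MAILHOSTS), ('blank line', BLANK_LINE, MAILHOSTS),
                              ('lost fold', LOST_FOLD, MAILHOSTS), ('other isp', OTHER_ISP, MAILHOSTS),
                              ('other isp, host added', OTHER_ISP, {'mail.example.au'})]:
        print(f'{label:22s} -> {find_source_ip(raw, hosts)}')
```

The last two runs reproduce griffithc's situation: with mail.example.au absent from the mailhost list the outermost hop is rejected as a possible forgery and nothing beyond it is trusted; adding the host to the list makes the same message parse to 192.0.2.9. The forged third Received line in GOOD is never looked at, which is the whole point of stopping at the first external hop. Real parsers also have to cope with IPv6 literals, HELO names containing brackets and hosts matched by domain suffix rather than exact name; this example keeps exact lowercase matching so the trust boundary is easy to see.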
Wazoo Posted June 14, 2005

> Hi, I'm also having problems with reporting at spamcop.net responding to all my submissions with "No source IP address found, cannot proceed." However if I use the link www.spamcop.com instead, the headers are parsed and I can send emails directly to the alleged abuse sites. I wonder why the difference? Does anyone understand why the standard SpamCop site has a problem?

There is no "connection" between the original SpamCop.NET and the various items that keep popping up on the sites spamcop.com and spamcop.org.....